Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.5220
ruby-loofah security update
14 September 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: ruby-loofah
Publisher: Debian
Operating System: Debian GNU/Linux
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23516 CVE-2022-23515 CVE-2022-23514
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
Comment: CVSS (Max): 7.5 CVE-2022-23516 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: NIST
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3565-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
September 13, 2023 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package : ruby-loofah
Version : 2.2.3-1+deb10u2
CVE ID : CVE-2022-23514 CVE-2022-23515 CVE-2022-23516
Debian Bug : 1026083
Multiple vulnerabilities were discovered in Loofah, a Ruby library for
HTML/XML transformation and sanitization. An attacker could launch
cross-site scripting (XSS) and denial-of-service (DoS) attacks through
crafted HTML/XML documents.
CVE-2022-23514
Inefficient regular expression that is susceptible to excessive
backtracking when attempting to sanitize certain SVG
attributes. This may lead to a denial of service through CPU
resource consumption.
CVE-2022-23515
Cross-site scripting via the image/svg+xml media type in data
URIs.
CVE-2022-23516
Loofah uses recursion for sanitizing CDATA sections, making it
susceptible to stack exhaustion and raising a SystemStackError
exception. This may lead to a denial of service through CPU
resource consumption.
For Debian 10 buster, these problems have been fixed in version
2.2.3-1+deb10u2.
We recommend that you upgrade your ruby-loofah packages.
For the detailed security status of ruby-loofah please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-loofah
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmUBzRgACgkQDTl9HeUl
XjAMXBAAm1NhBGBxyGR5/4g4/SMXjuqzWzqiYs2NRwmxhpq3v0ALZnwanseNuvtf
ryue5Lial9UFCnh7g758bFOmao3UesCtTOdQzDQOkJ0ri247UGEbYd3p2oL3+i8i
YSKoKscGiL3RQ+IpfNy25p4oT/6bvPn7FHKGudSRnKhMqYh8ttDi9DweMEjXgPnv
XijxcB8KSB6X8dGUZjRXRXsG8KUZOzbvGJzrb//8Fmc7qwZUSJNakS4mENpwYgxN
vZB5IfB9p9sB8x/mKyFHD5O/y8hryk5ujnG6F4BfPmL3rWpqxaYXo1ehq8yGqkAy
6t/37RjQv4g2IRC/wjABZjJ1QV69fS4ZIilQG/hQgwUNT89uF15lDHNrCpNU76VF
24zytYqb3OnbiPbmaa0r5VOgPLv+OSB53lLUFz009/OjMHtq2TNPz9rj+7staG/P
A2qmUgjx3waBoMYVXgcJ1sUhkf/tOlQVx797EWjiUYl4xxcT2L5rIr4tQzPaW74P
MSgJBeSIspOKf5F2vnPuoEKNJt63biH7sbp+CBYFlwcaJ4rS+YHc5W1Lxawm/21I
XYtPXpEiw08YLFCc4ITgMcuPUVFIFXYswyG0VaONyLmRjLjT1LlWDCeA69tZ58KP
ja+HaaQ6uSir3WEtsLTl1XStK6Ep9h1CBRPxsnY1Hlx6qtkIVn0=
=dRUb
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZQJmj8kNZI30y1K9AQivYQ/8DjEylaPhO9u2KvRgj3CNVarVSD6QVuMV
YLpPYLACUqwwre/Bi2jZsldSw3/LWchZWnK8Dq6QzA8CQzMx8l22wCUHQ+MdR2/H
95igonvDQOZxryrhXSVIwEwDnCZYQZ0mqtBHFck3O5SEnvCc9D/AU0/NjX+B+7UR
A+RhRfDbrwotE3hZVJo7suB0c6AFJfs9lGeAUNsY2RLS3cHcAP6ozkvCC2/ogFgX
qrZVmspZ9EV4so5R3wm9E35+cshzsVEdb0KJ4nczMqmNgtBLK6HtBjZMIvQbpI05
pFPAMZNaa79mww8XJhiEpoNUBrV3Xnz6pZ1i2nNM55diw6xgOakM7+oVs/wmnBwy
NDihm7rO0V/pbr1XgNymvzrjqAiG5BZBkrxZVToAmq4sHkx0z9Ri/KeJr2RN9Y4t
EW2n5RN7QkrFXn016dskyieRjsxHgujE2p36SuxrgAKguJPtF3A9oojft+p+cNw7
7RVPavXkBLEXBbSMKVApbnaZJU6d190UGE0oLeKKZqbkUX2NkokEtoThecXg3U5v
PTd8B/7Fp1BlIdGhHzt5DdUryh2H2Wpi5G7VxPuBp54lBn93WztsOYx6dz8cfTgE
R6qyD6n9ytxfjSYuOxL8fvj5yO5SwPv7LHUSc7IE0SEYWNDUPr262U87hMTjsG0s
dkFkD8GjRH4=
=YTdR
-----END PGP SIGNATURE-----